Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident. VPNs and network border in UK all down.

Jaguar Land Rover moved their cybersecurity and IT functions to TCS two years ago 🫡

Jaguar Land Rover is ransomware, I can see network traffic from infrastructure used by multiple e-crime groups over the past week. I've asked one I think likely responsible if they did it.

They (JLR) appear to be doing contain to eradicate, i.e. all UK border services shut, Windows infrastructure offline etc.

Jaguar Land Rover latest from the outside looking in.

AS205756 aka JAGUAR LAND ROVER AUTOMOTIVE PLC is shut down - UK network only (however it hosts their most important infrastructure).

Staff have been told not to turn up to manufacturing facilities.

Tata Motors (parent company) appears to be online still but looks like a mess on Shodan, e.g. lots of SAP Netweaver boxes dangling directly off the internet.

JLR - network border all still offline. Liverpool Echo reports factory production still at all stop.

The lapsus$ guys are taking credit for the Jaguar Land Rover thing, speed run to see how many times they can get v&'d in 5 years.

I can see ecrime infrastructure was talking to this at JLR beta.shodan.io/host/185.193.35

It's a SAP Netweaver box. The Lapsus$ kids have been running around with a SAP exploit for a while, prior thread reference: cyberplace.social/@GossiTheDog

The lapsus$ guys also posted this screenshot, on an internal Jaguar Land Rover SAP box last night:

Unfortunately this thread broke in half due to me forgetting to bookmark a toot - here’s the original half cyberplace.social/@GossiTheDog

The lapsus guys continue to go nuts on IRC^H^H^HTelegram bbc.co.uk/news/articles/c4gqep

To back up ReliaQuest - this is the exploit LAPSUS guys have running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. reliaquest.com/blog/threat-spo

There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse: from version printing, less than 5% are patched for the two CVEs being exploited.

Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. liverpoolecho.co.uk/news/liver

Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
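The "monitoring in place to see when they come back online" above is, in practice, a scheduled TCP connect probe that reports state transitions. The script below is an added example, not the thread author's tooling: it polls a constructed watchlist of hypothetical border services (the `.invalid` hostnames are placeholders, not JLR's hosts) and distinguishes a completed handshake from a refused connection and from a timeout, since a border that has been shut for containment shows up as "filtered" (packets dropped upstream) rather than "closed".

```python
import socket
import time

# Constructed watchlist of border services to poll. Hypothetical hostnames and
# ports standing in for a VPN concentrator, webmail and SSH on an edge router.
WATCHLIST = [
    ("vpn.example.invalid", 443),
    ("mail.example.invalid", 443),
    ("edge-rtr1.example.invalid", 22),
]


def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt the way a port scanner would.

    'open'       -> handshake completed, the service is reachable
    'closed'     -> host answered with RST (host up, nothing listening)
    'filtered'   -> timeout or no route: something upstream is dropping the
                    traffic, which is what a deliberately shut border looks like
    'unresolved' -> the name does not resolve, so nothing was probed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        return "filtered"


def poll_once(watchlist, probe=tcp_probe):
    """Probe every (host, port) in the watchlist and return {(host, port): state}."""
    return {(host, port): probe(host, port) for host, port in watchlist}


def diff_state(previous, current):
    """Return (host, port, old_state, new_state) for every entry whose state
    changed since the last poll. First-time entries carry old_state None so the
    initial run prints a baseline rather than staying silent."""
    changes = []
    for key, now in current.items():
        before = previous.get(key)
        if before != now:
            changes.append((key[0], key[1], before, now))
    return changes


def monitor(watchlist, interval=300, probe=tcp_probe, rounds=None):
    """Poll until interrupted (or for `rounds` polls) and print each transition
    with a UTC timestamp. Returns the last observed state for inspection."""
    previous = {}
    polls = 0
    while rounds is None or polls < rounds:
        current = poll_once(watchlist, probe)
        for host, port, old, new in diff_state(previous, current):
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            print(f"{stamp} {host}:{port} {old or 'unknown'} -> {new}")
        previous = current
        polls += 1
        if rounds is None or polls < rounds:
            time.sleep(interval)
    return previous


if __name__ == "__main__":
    # One pass over the constructed watchlist; drop `rounds` to keep polling
    # every five minutes and log the moment a border service reappears.
    monitor(WATCHLIST, rounds=1)
```

A connect probe only tells you a listener is back; it says nothing about whether the service behind it has been rebuilt or merely switched on, so treat a "filtered -> open" transition as a cue to look, not as an all-clear.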

If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as I've been there, done that.

They'll frequently not even bother to deploy ransomware; they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.

This isn't anything against the LAPSUS guys btw as they're basically having a five year ninja fight with Mandiant, DART, cyber standards and law enforcement while playing teenage Mr Bean and let's be honest... that's pretty funny and eye-opening.

ITV News 6pm lead story on Jaguar Land Rover

Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.

youtube.com/watch?v=V4xQz0iKK4g

JLR is keeping all factory production suspended today, tomorrow, Sunday and at least Monday (possibly longer) in UK, Slovakia, China, India and Brazil.
liverpoolecho.co.uk/news/liver

JLR directly employ 32k people in the UK so I imagine there's going to be ripple effects on the wider economy off the back of this one the longer it goes on.

Meanwhile the LAPSUS guys were busy posting large numbers of US defense Top Secret marked documents last night. They've since been deleted from Telegram.

One surprising thing with the Jaguar Land Rover incident - they've only isolated JAGUAR LAND ROVER AUTOMOTIVE PLC (AS205756), the UK network. The India, China etc networks are still online.

When I dealt with LAPSUS elsewhere they entered via a different country network/biz unit and then pivoted to target country/biz unit.

JLR UK have got one internet facing system back online - wslx.jlrext.com

Single factor auth only because that's how automotives roll. If you visit direct IP, it's still branded Ford - Ford sold the business in 2008.

Just checked in on JLR - factory production won't be resuming tomorrow (day 7).

Jaguar Land Rover car production is still shut down tomorrow, day 8. I’ve checked the network border, everything except one system in UK is also still offline.

JLR are keeping car production closed until at least Monday. They also say “some data was impacted”, whatever that means.

liverpoolecho.co.uk/news/liver

JLR have started switching border routers back on (don't ask me why SNMP, NTP and SSH are internet facing).

JLR shouldn't feel bad, Tata Motors (their parent) is in way worse shape. They've even got Exchange Server with OWA internet facing without MFA.

Jaguar Land Rover have told factory workers worldwide to stay home until at least next Wednesday, which will be 17 days since the cyber incident began. bbc.co.uk/news/articles/c3e712

If anybody is interested, TCS’ website says JLR outsourced cybersecurity (not sure which bits) to it a few years ago.

TCS also run security operations and monitoring for Co-op (my old team) along with their IT and IT helpdesk, and M&S secops monitoring, IT and IT helpdesk.

The BBC report just over 100k jobs sit outside Jaguar Land Rover in the supply chain, those staff are being told to apply for universal credit and the shut down could last until November. bbc.co.uk/news/articles/c784nw

Liam Byrne MP, the chair of the Commons business and trade committee has said "We think this is an attack which is much, much worse than the attack that took down Marks and Spencer."

He's calling for the government to insure suppliers via taxpayer money when orgs get hit with ransomware.
bbc.co.uk/news/articles/cwyrqx

@GossiTheDog or JLR give me half their losses from this week, 25 million quid, and I'll make it never happen again. Security isn't rocket science. Oversight is, and there wasn't any in their rush to TCS and short term profit
